From e2abc3c2ab215fa39b3b6938dc2e5f04ef5c46bd Mon Sep 17 00:00:00 2001
From: Youngbok Shin <youngb.shin@samsung.com>
Date: Wed, 25 Apr 2018 16:26:05 +0900
Subject: [PATCH] evas textblock: prevent invalid read from a free'd cursor

After calling destructor of an object, render_pre function can be called for that object.
In this case, we need to handle pointer carefully.

@tizen_fix

Change-Id: I6ab50e88402892568b53a25622be621328c67823
---
 src/lib/evas/canvas/evas_object_textblock.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/lib/evas/canvas/evas_object_textblock.c b/src/lib/evas/canvas/evas_object_textblock.c
index 13a2d45..475de4e 100644
--- a/src/lib/evas/canvas/evas_object_textblock.c
+++ b/src/lib/evas/canvas/evas_object_textblock.c
@@ -7865,6 +7865,10 @@ evas_textblock_string_escape_get(const char *string, int *len_ret)
 static void
 _cursor_emit_if_changed(Efl_Text_Cursor_Cursor *cur)
 {
+   /* TIZEN_ONLY(20180425): prevent invalid read from a free'd cursor */
+   if (!cur) return;
+   /* END */
+
    if (cur->changed)
      {
         cur->changed = EINA_FALSE;
@@ -14353,6 +14357,9 @@ evas_object_textblock_free(Evas_Object *eo_obj)
         evas_object_textblock_style_user_pop(eo_obj);
      }
    free(o->cursor);
+   /* TIZEN_ONLY(20180425): prevent invalid read from a free'd cursor */
+   o->cursor = NULL;
+   /* END */
    while (o->cursors)
      {
         Efl_Text_Cursor_Cursor *cur;
-- 
2.7.4